CVE-2017-16994

MEDIUM

Linux Kernel <4.14.2 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2017-16994. PoCs published by Google Security Research, anonymous, jedai47.

AI-analyzed exploit summary: This exploit demonstrates an information leak vulnerability in the Linux kernel's mincore system call when handling VM_HUGETLB VMAs. It triggers uninitialized memory disclosure by repeatedly calling mincore on a large anonymous hugepage mapping.

Description

The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Google Security Research · c · dos · linux
https://www.exploit-db.com/exploits/43178

This exploit demonstrates an information leak vulnerability in the Linux kernel's mincore system call when handling VM_HUGETLB VMAs. It triggers uninitialized memory disclosure by repeatedly calling mincore on a large anonymous hugepage mapping.

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Linux kernel versions before 4.14.2, 4.13.16, 4.9.65, and 4.4.101
No auth needed
Prerequisites: Linux system with vulnerable kernel · Ability to execute unprivileged user code
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by anonymous · c · local · linux
https://www.exploit-db.com/exploits/44303

This exploit leverages CVE-2017-16994 to bypass KASLR and disable mmap_min_addr protections, followed by a null pointer dereference to achieve privilege escalation via shellcode execution. It requires a custom kernel module (/proc/test) to trigger the vulnerability.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux Kernel (custom module required)
No auth needed
Prerequisites: Kernel with KASLR enabled · Custom kernel module (/proc/test) loaded · Read access to /proc/kallsyms
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by anonymous · c · dos · linux
https://www.exploit-db.com/exploits/44304

This exploit leverages an information leak vulnerability (CVE-2017-16994) in the Linux kernel's handling of MAP_HUGETLB mappings. It uses mincore to trigger uninitialized memory disclosure, revealing kernel addresses to bypass KASLR.

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel (versions affected by CVE-2017-16994)
No auth needed
Prerequisites: Linux system with vulnerable kernel · Ability to execute unprivileged code
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by jedai47 · poc
https://github.com/jedai47/CVE-2017-16994

This repository contains a proof-of-concept exploit for CVE-2017-16994, which involves bypassing KASLR and disabling mmap_min_addr to achieve local privilege escalation via a null pointer dereference in the Linux kernel.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (custom compiled, version not specified)
No auth needed
Prerequisites: Access to /proc/kallsyms · Custom kernel with specific offsets · Ability to load a kernel module (/proc/test)
devstral-2 · analyzed Feb 16, 2026

References (13)

Core References
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3617-1/
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3619-2/
Exploit, Issue Tracking, Patch x_refsource_confirm
https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3617-3/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43178/
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3632-1/
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0502
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3617-2/
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3619-1/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/101969

Scores

CVSS v3 5.5
EPSS 0.0480
EPSS Percentile 89.7%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (1)
linux/linux_kernel < 4.14.2
Published Nov 27, 2017
Tracked Since Feb 18, 2026